Just discovered some little shitbag got into our site through the /download vulnerability. I'd thought I'd secured that, so have now deleted that directory, turned off downloads, and reset main account password (server level).

Digging around I found that they had set up authorize.net to send credit card details to a yopmail account. Sorted that. Changed all passwords, etc.

By pure luck after removing the /downloads folder I got an error message in the admin that prompted me to look in the admin/controller/common folder... little fucker had edited login.php too!! Haven't seen anyone else report this - pretty simple script edit that emails through login info:

I don't know if it's related, but some brown dude uploaded this. He has been making rounds testing for payment gateways and/or trying to fraud to US addresses. Could be the same one who keeps trying to inject into a honeypot OC download folder and/or the same one who dropped that hack... potentially

Hi - I just wanted to firstly thank you tonybarns for detailing how you fixed your hack - it happened to us in January on v1.5.6 and your post was very helpful at tidying things up again.

Now on OpenCart v2, we have had the Authorize.net hack again - seemingly identical. So I am not sure if this does use the 'download vulnerability'...

I have posted on another thread about this hack - but I think it may be helpful to post here too as it came up in Google searches. :-)

We had the same symptoms: when you go to the checkout 'Authorize.net' appears as a payment option above all others... when the customer chooses it the payment cannot be made as it does not direct to a live account... but it may allow the hacker to obtain customer data... we cannot determine exactly what he was trying to get!

For anyone reading this who has this problem... please note the following:

1. VERY IMPORTANT: The login page has been hacked!
The login page code has been edited so that if you try and change the passwords, when you log in again the hacker receives the new password directly to his email account.

2. You CANNOT enable/disable Authorize.net via OpenCart admin.
The hack uses a file that bypasses this function completely, so it has nothing to do with the payment settings you have set up. You must delete/replace hacked files via FTP to restore normal function.

3. You will have to fix this problem via FTP by locating and overwriting the changed files, then changing your password (ideally through phpMyAdmin). There is no point changing your passwords until AFTER you fix the login page hack.

We do not believe this hack requires the hacker to be able to log in... but we cannot be sure. In v1.5.6 we found all sorts of junk had been uploaded to the server... but I do not think this is the 'download vulnerability' people spoke about before, as we are on v2 and we had already removed the list of file types that could be uploaded.

Here is how we fixed it:

Firstly, we had to find all the files that had been changed by the hacker... you will see that these have a 'Last modified' date that will be very recent compared to the other files (most of which will be the same date from the time of installation).

We found on both occasions that these were the files that had been changed:

However, we would advise you to check through the folders for any other new or recently modified files if the following instructions do not fix your problem.

We had a copy of the website elsewhere so we could see that not only were the last modified dates 'today' but the file sizes were notably different - so the code was not the same.

We suggest you take a full backup of your site via FTP - name it clearly as a 'hacked' version not to be re-uploaded.

Once this is done, unzip a new local copy of your version of OpenCart... locate the files listed above and copy them to a folder & subfolders (we called ours 'Authorize Hack Clean Files'). You will then be able to quickly upload them if it ever happens again.

Then delete the files on the server and replace with the 'clean' files - this should be enough to fix the problem.

Please note:
You cannot simply rename the authorizenet_aim.php file - even if you change the name and remove the file extension - we found it kept loading the Authorize.net option in the checkout. It must be completely removed.

Once those changes are done, you can set up a new password for your accounts. We used a secure password generator to try and make it more certain it was not a hack via password login... we don't think it is... but we do not know how this hack is done.

Lastly we deleted all the allowed file types and MIME types in Settings > Uploads... we kept a copy of these lists in case we need to put any/all of them back again.

I hope these details help a few people out - I would really appreciate anyone listing any 'official' name for this hack, as it seems to be happening often enough and in the same way; I imagine it has been identified by others too?
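A way to automate the 'Last modified' and file-size comparison described in the post above, as an added example that is not from the post or from OpenCart itself: it hashes every file in a deployed tree against a clean extract of the same version, lists files that exist only on the deployed side, and lists anything touched after a cutoff. The two sample trees (an edited login.php and a dropped-in payment file) are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(clean_root, site_root, cutoff):
    """Return {'modified', 'added', 'recent'}: paths relative to the roots that
    differ from the clean extract, exist only on the site, or have an mtime
    newer than cutoff (the 'Last modified' check described in the post)."""
    clean_root, site_root = Path(clean_root), Path(site_root)
    clean = {p.relative_to(clean_root): p for p in clean_root.rglob("*") if p.is_file()}
    site = {p.relative_to(site_root): p for p in site_root.rglob("*") if p.is_file()}
    report = {"modified": [], "added": [], "recent": []}
    for rel, path in sorted(site.items()):
        if rel not in clean:                                 # dropped-in file
            report["added"].append(rel.as_posix())
        elif sha256_of(path) != sha256_of(clean[rel]):       # edited shipped file
            report["modified"].append(rel.as_posix())
        if path.stat().st_mtime > cutoff:                    # touched recently
            report["recent"].append(rel.as_posix())
    return report


def build_sample():
    """Constructed sample: a clean extract next to a site copy where login.php
    was edited and an extra file was dropped into the payment folder."""
    base = Path(tempfile.mkdtemp())
    old = time.time() - 30 * 86400        # pretend the install is a month old
    files = {"admin/controller/common/login.php": "<?php // login controller\n",
             "catalog/controller/payment/cod.php": "<?php // cash on delivery\n"}
    for root in ("clean", "site"):
        for rel, body in files.items():
            p = base / root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            os.utime(p, (old, old))
    site = base / "site"
    (site / "admin/controller/common/login.php").write_text(
        "<?php // login controller\n// attacker-added line (constructed)\n")
    (site / "catalog/controller/payment/extra.php").write_text("<?php // dropped in\n")
    return base / "clean", site, time.time() - 86400   # cutoff: last 24 hours
```

Run it against your real site by pointing `compare_trees` at the FTP download and the unzipped OpenCart package of the same version; files reported as added or modified are the ones to replace from the clean copy.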

Well, the main OC User Problem might be that only a small fraction of them
has much knowledge about what they're doing, in addition to so-called Devs,
and this makes it easy for Hackers to do all kinds of things on such Sites!
Just to give you an example of 'wide open' CHMOD 777 OC Sites: https://www.google.com/search?q=%22index+of%22+Opencart

In addition, some Extensions might contain bad code once in a while, but
since many Users don't know a thing, they are unable to find out where to
look, and what such Code looks like, in the first place. Many Dark-Net Sites
also offer paid OC Code for free, or almost free, and OC Users are unaware
that the People behind such 'offerings' usually have some plans related to
hard cash, in one way or the other, so it's usually not clean OC Code that is involved
if a Site suddenly runs into such problems.

But, strictly technically/logically, one should not have a single Piece of Code
on a Server which is not actually used as well, like Authorizenet, Openbay, Amazon,
and/or other Payment/Shipping/Whatever 'Functions', but only have installed
what is required. But since some of those Extensions are 'hardcoded' into
the Source, it's not so easy to remove them all without a certain knowledge about OC.

I am just now in the process of testing a Shop Site, where I removed Authorizenet,
Ebay, Openbay, and Amazon from the Source yesterday. It worked on the spot, and if I am
lucky, then I won't find many misses, due to either removing too much, or too little,
in certain files containing some Code or Scripts related to those 'Functions'. http://www.ejacob.ch/cart/

But even Facebook got hit, so there is always a chance to get hacked. Especially for
those OC Users allowing others to upload images and/or other files. I just found one
of those strange images, placed in a free Theme Extension, full of Code, and I only
found out about it because I wondered about its sheer size for a simple Background
Image. So, I had to make use of my famous Image STRIPPER Program again, to get all not
'required' Code out of all of my Shop Images, and thereby make 'em a little smaller in
Size as well.

Ernie

Attachment: XP Image Content Stripper, removes Links, Code, and other garbage out of images.

For Sale: Top URL's, including an OpenCart V-Pro Shop!
A wide range of matching Designs can be seen here: http://www.opencart.li
For Information on URL's offered, please contact me at: jti@jacob.ch
Hundreds of Mods in 380+ Repositories for OC v.1.5.x - v.2.3.x
to be found on my Github Site: https://github.com/IP-CAM

Well, this Code is far from even being comparable with the OC Default way of
doing things; it's all highly Custom Code, from the top down to the bottom.
So nobody would be able to assist in anything, I fear ...
Good Luck!
Ernie
